Getting a handle on security certificates

TOP STORY

By Susan Bradley

We rely on SSL certificates for safe Web surfing and secure online transactions; but how many of us understand the issues surrounding security certs — or those related error messages? Here's what you need to know about SSL certificates — and how update KB 2661254 helps solve certificate problems.

Certificate size vs encoding key size

"you'll see that the browser has a cipher strength of 256 bits — significantly fewer than the 1024 bits we now require for SSL certificates"

The certificate's public key's size has nothing to do with the 'cipher strength'. The certificate's public key is a large prime number and should be big enough to make it hard to find the related private key. Deriving the private key allows the creation of bogus certificates but so far it's been easier to steal private keys.

The cipher key size used to encode the data has no relationship to the certificate's public key size, and we are not being cheated as a result. I would trust a strong 256-bit cipher over the weaker 1024-bit certificate.

"it's inadequate to protect certificates." - nothing but the size of the public key protects the certificates since they are sent in plain text during the SSL/TLS handshake.

In the typical twisted Microsoft fashion, evidenced in coding samples where comparisons are written in inverted order (3 == x), the question in the mixed-mode page security warning is inverted: "do you want to view ONLY the webpage content that was delivered securely?" Susan's suggested answer (she gives no reason why she recommends it and presents the consequences of that choice wrong) leads to ALL CONTENT being shown and is often the correct answer. The default answer of Yes means to skip non-secure content and is the safest option, of course. But it may miss crucial parts of information that is why you went to the broken page in the first place.

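To make the distinction in the post above concrete, here is an added PowerShell example (not from the thread or from Susan's column) that opens a TLS connection and prints the negotiated cipher strength next to the server certificate's public key size, so the two numbers can be seen to be independent. It assumes Windows PowerShell 5.1 or later (for the RSA/ECDSA certificate extension methods); the host name is a parameter, and `example.com` in the usage line is only a placeholder.

```powershell
# Added example, not from the thread: show TLS cipher strength and certificate
# public key size side by side. Assumes Windows PowerShell 5.1 or later.
function Get-TlsSessionSummary {
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,   # assumed parameter
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # $false = do not leave the inner network stream open after SslStream is disposed
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost)   # normal certificate validation applies

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Public key size depends on the key type; RSA is the common case, ECDSA the other.
        $keyBits = $null
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa) {
            $keyBits = $rsa.KeySize
        } else {
            $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
            if ($ec) { $keyBits = $ec.KeySize }
        }

        [pscustomobject]@{
            Host               = $TargetHost
            Protocol           = $ssl.SslProtocol
            CipherAlgorithm    = $ssl.CipherAlgorithm      # symmetric cipher protecting the data
            CipherStrengthBits = $ssl.CipherStrength       # the "cipher strength" the browser shows, e.g. 128 or 256
            KeyExchange        = $ssl.KeyExchangeAlgorithm
            KeyExchangeBits    = $ssl.KeyExchangeStrength
            CertSubject        = $cert.Subject
            CertPublicKeyBits  = $keyBits                  # e.g. 2048; a different quantity from CipherStrengthBits
            CertSignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage (placeholder host):
Get-TlsSessionSummary -TargetHost 'example.com' | Format-List
```

The symmetric cipher (CipherStrengthBits) protects the bytes of the session; the certificate key (CertPublicKeyBits) only has to make forging the server's signature impractical, which is why a 256-bit AES cipher and a 2048-bit RSA key are not comparable numbers. The KeyExchangeBits field is a third quantity again, the size of the ephemeral exchange that produced the session key.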

OK - I've been putting off this conversation for a long time, because it's hard to post something that points to you being too dumb to live.

Thing is, I just haven't updated my system regularly for more than a decade since I've got programs I run that are probably from the mid 90s that I still like to use and updates just can mess my system up royally.

So when something like this comes along where I know I should do it, I don't know how.

If I click on those KB links that Susan puts in the articles, I can't find anything to download on the page it takes you to, and if I go to the security centre, I don't know how to find the thing she's talking about, as the KB #s don't seem to take you there.

Can someone please, in small steps, show me how to get from what Susan talks about to where I can actually download that particular thing?

After the KB 2661254 link, click on Suggested Actions, then the link where it says See Microsoft Knowledge Base Article 2661254 for download links to the update packages.

Thank you so much . . .

If you have legacy software which you really don't want to mess with (which I can understand completely) you really do not want to use the same physical (or virtual) OS to do anything online for which security may be an issue. Susan's patching advice will be of no use to your situation, even if you can get this one patch downloaded and installed. The one patch alone will do nothing to make your otherwise unpatched OS safer to use at secure websites.

Your choices include:

>You can continue to use the machine which does not get updated, and risk your online security. Unacceptable!

>You can convert the older configuration which you do not want to update to a Virtual Machine (or Virtual Hard Drive in Windows 8 Pro) and run it inside a secure OS. This (if you can do it) is reasonably safe, but you would still not want to do anything requiring secure connections from the Virtual OS. For those sites, connect through a fully patched Host OS and its browser. Save the Legacy Virtual OS for those tasks which require the older software which cannot be updated.

>Or you can multiboot, but remember, one side of a multiboot can often see the other side and make changes. Hiding the non-active partition may help, but it is not failsafe. I do multiboot, and have not had issues with security problems jumping from the newer (more secure) OS to the older (out of date) OS. Your mileage may vary.

Of these methods, probably the easiest and safest would be to get a new computer with an OS and software you will faithfully update, and use that computer for sensitive transactions. Second-easiest is to mount the old OS as a Virtual Machine/ Virtual Hard Drive into a newer OS which will be faithfully updated. And use the newer OS for secure sites.

Multibooting, and possibly using a second physical hard drive for the second OS, is more complicated, but might actually in this case yield the best results. Keeping the more vulnerable OS on a separate physical drive should minimize any chance of cross-contamination, and will still allow reasonably fast boot times and smooth switching between the two OSes. If the more modern OS supports UEFI Fast-Booting, the transition may be faster still.

Anyway, that's what I would suggest if you have an OS with software which cannot be updated. Maybe someone else has a better suggestion.

Security Warning Advice

As mentioned below by cybercrone, the message shown in Figure 5 of Susan's latest column is confusing at best. The recommendation to select No appears to have the opposite of the desired result. A careful reading of the message would indicate that Yes will be a more secure choice. Has Microsoft documented this cryptic action anywhere?

Yes, that's what stedi pointed out at #3.

Originally Posted by DanMcC

Has Microsoft documented this cryptic action anywhere?

I can't find the IE8 and earlier version, “Do you want to view only the webpage content that was delivered securely?”, documented anywhere except in hundreds of questions to Microsoft.

But the IE9 and IE10 equivalent, “Only secure content is displayed”, is documented: KB2625928

It's ironic that the article page produces these prompts, and Susan says, "It would be best if websites never included unsecured information on a page containing SSL transactions."!

Is there any way to view a list of installed updates by KB number? The article mentions KB 931125, but I have no idea how to check if it is already installed. I am not prepared to wade through the full list of installed updates looking for the KB number at the extreme right of the name. Why does Microsoft not list the number as a separate item from the name?
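As an added example (not from the thread): PowerShell's Get-HotFix cmdlet lists installed updates with the KB number as a separate HotFixID property, so it can be searched directly. The wrapper function below is my own; the two KB numbers in the usage line are the ones mentioned in the column and in this thread.

```powershell
# Added example, not from the thread: check whether updates are installed by KB number.
# Get-HotFix reads the Win32_QuickFixEngineering store (the same data "wmic qfe" shows),
# so updates installed by other means (e.g. MSI-based Office patches) will not appear here.
function Test-KBInstalled {
    param([Parameter(Mandatory = $true)][string[]]$KB)

    $installed = Get-HotFix   # one record per update; HotFixID looks like 'KB2661254'
    foreach ($id in $KB) {
        # accept '2661254', 'KB2661254' or 'KB 2661254'
        $normalized = 'KB' + ($id -replace '[^0-9]', '')
        $match = $installed | Where-Object { $_.HotFixID -eq $normalized }
        [pscustomobject]@{
            KB          = $normalized
            Installed   = [bool]$match
            InstalledOn = if ($match) { $match.InstalledOn } else { $null }
            Description = if ($match) { $match.Description } else { $null }
        }
    }
}

# Usage: the KB numbers discussed in the column and this thread
Test-KBInstalled -KB '931125', 'KB2661254' | Format-Table -AutoSize

# Equivalent check from a plain command prompt on older systems:
#   wmic qfe get HotFixID,InstalledOn | findstr /i KB2661254
```

If a KB shows as not installed here, it is still worth checking Control Panel's "View installed updates" list before installing it again, since not every update registers in the quick-fix store that Get-HotFix and wmic qfe read.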